CVE-2025-53659: 
Java vulnerability analysis and mitigation

CVE-2025-53659 affects the Jenkins QMetry Test Management Plugin versions 1.13 and earlier. The vulnerability was discovered and disclosed on July 9, 2025, impacting the plugin's handling of API keys. This security issue is part of a broader security advisory that identified multiple vulnerabilities across various Jenkins plugins (Jenkins Advisory).

The vulnerability is classified as a Medium severity issue according to CVSS scoring, with a CVSS 3.1 base score of 6.5 (MEDIUM) and vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N. The technical issue stems from the plugin storing Qmetry Automation API Keys in an unencrypted format within the job config.xml files on the Jenkins controller. The vulnerability is categorized under CWE-311 (Missing Encryption of Sensitive Data) (NVD).

The vulnerability exposes sensitive API keys to unauthorized access. Users with Item/Extended Read permission or access to the Jenkins controller file system can view these unencrypted API keys. Additionally, the job configuration form's failure to mask these API keys increases the risk of credential exposure through visual observation (Jenkins Advisory).

As of the advisory's publication date (July 9, 2025), no fix is available for this vulnerability in the QMetry Test Management Plugin. Organizations using affected versions (1.13 and earlier) should implement additional access controls to restrict access to the Jenkins controller file system and carefully manage Item/Extended Read permissions (Jenkins Advisory).